Stolen PC locator plays double agent, say researchers

LoJack for Laptops, a software tool designed to rat on computer thieves, appears to be serving a double purpose – by seemingly working with a Russian state-sponsored hacking team.

The application allows administrators to remotely lock and locate, and remove files from, stolen personal computers. It's primarily aimed at corporate IT types who want to protect stuff that gets nicked, but anyone can use it, and it is installed by default on various notebooks.

Just recently, several LoJack executables were found to be unexpectedly communicating with servers that are suspected to be under the control of Fancy Bear, a hacking group associated with Russia's GRU military intelligence agency.

In a report published on Tuesday, security researchers at Netscout's Arbor Networks said they have found five LoJack agents (rpcnetp.exe) that point to four suspicious command-and-control domains, three of which have been associated with Fancy Bear in the past. It is feared someone has secretly backdoored certain copies of LoJack so that it acts as remote-controlled spyware for the Kremlin.

"Our analysis has revealed a small number of modified agents," said Hardik Modi, director of Arbor's Security Engineering & Response Team (ASERT), in an email to The Register. "This is consistent with a targeted operation. We're cooperating with numerous parties on this matter."

Kremlin-linked hacker crew's tactics exposed

The finding is troubling because LoJack's software, in its anti-theft capacity, is designed to operate discreetly and to remain on systems where it has been installed even after hard drive replacement and system re-imaging.

The low-level access enjoyed by security applications, and the high-level of trust afforded to them, make programs like LoJack appealing targets for subversion.

ASERT observes that many anti-virus vendors mark LoJack executables as "not-a-virus" or "Risk Tool" rather than flagging them as potential malware. Russian state-backed hackers allegedly used Kaspersky Lab's security software for similar ends.

Though designed to protect laptops from theft, LoJack implements only minimal security to safeguard its own data.

"The LoJack agent protects the hardcoded [command-and-control] URL using a single byte XOR key; however, according to researchers it blindly trusts the configuration content," the report says. "Once an attacker properly modifies this value then the double-agent is ready to go."

This weakness was raised in security research presented at the Black Hat conference in 2014.

At the time, researchers Vitaliy Kamlyuk, Sergey Belov and Anibal Sacco said that it would be easy to alter the registry configuration block, where the command-and-control URL is stored, to make the software communicate with a malicious domain.

ASERT said while it wasn't sure about the initial attack vector, Fancy Bear in the past has used phishing messages to deliver malware.

In statement emailed to The Register, a spokesperson for Absolute Software said the company was aware of the Arbor Networks report.

"We have spoken to Arbor regarding the claims in this report and are investigating this matter internally," a company spokesperson said. "At this time, we do not believe that this has impacted any customers or partners, but are taking every precaution to ensure any concerns are promptly addressed.” ®